{ "name": "Dependency triage", "objective": "Classify dependency updates into safe patches, deferred upgrades, or human-review items with reproducible evidence.", "trigger": { "type": "scheduled", "cadence_or_event": "Weekly, and on Dependabot, Renovate, or advisory-driven update PRs." }, "intake": { "sources": ["dependency update PRs", "release notes and changelogs", "security advisories", "lockfile diffs", "package audit output"], "selection_rule": "Group updates by risk: safe patch, minor feature, major migration, security, or blocked; act automatically only on the safe-patch group." }, "workspace": { "isolation": "Clean branch or worktree per update group.", "allowed_actions": ["run package manager commands", "run tests, typechecks, and builds", "apply low-risk updates", "comment on PRs"], "disallowed_actions": ["major version migrations", "runtime version changes", "security-policy changes", "broad multi-group upgrades"] }, "context": { "required_files": ["compatibility policy", "supported runtime versions"], "runtime_sources": ["recent CI status", "known flaky tests", "prior triage state"] }, "agents": [ { "role": "Classifier", "responsibility": "Group updates by risk, security relevance, version change, and blast radius." }, { "role": "Implementer", "responsibility": "Apply low-risk updates and resolve lockfile conflicts." }, { "role": "Verifier", "responsibility": "Run targeted tests, typechecks, builds, and package audits." }, { "role": "Reporter", "responsibility": "Record accepted, deferred, and human-review updates with reasons." 
} ], "verification": { "gates": ["lockfile and manifest are consistent", "relevant tests, typecheck, build, and audit pass", "no migration step named in the changelogs was skipped", "diff is limited to the intended group"], "receipts": ["package versions and changelog links", "commands run with output", "deferred reasons", "reviewer questions"] }, "state": { "artifacts": ["triage report comment", "processed-update ledger"], "update_rule": "Record processed update IDs, verification evidence, and deferral reasons after each group." }, "budget": { "max_retries": 2, "max_runtime_minutes": 60 }, "escalation": { "conditions": ["major version upgrade", "runtime requirement change", "security advisory with product impact", "licensing concern", "repeated verification failure"], "destination": "Issue assigned to the repository owner with the blocked group and evidence" }, "exit": { "success": "Safe updates are verified and merged or review-ready, and risky updates are deferred with reasons.", "stop_without_success": "Verification fails repeatedly, or all remaining updates require human review." } }